diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000000..c9cc89adc29c --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,293 @@ +name: Build +'on': + workflow_call: + secrets: + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + AZURE_CLIENT_ID: + required: false + AZURE_CRT: + required: false + AZURE_TENANT_ID: + required: false + AZURE_SUBSCRIPTION_ID: + required: false + AZURE_VAULT_ID: + required: false + MACOS_CRT: + required: false + MACOS_ID: + required: false + MACOS_PWD: + required: false + +env: + RUST_VER: "1.63.0" + SHELL: "/bin/bash" + +permissions: + id-token: write + contents: read + +jobs: + build-windows: + name: 🪟 Build for Windows + runs-on: windows-latest-8-cores + env: + MOZ_NOSPAM: 1 + JSIGN_PATH: /c/ProgramData/scoop/shims/jsign-4.0.jar + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Set build directory + run: | + $pattern = '[\\]' + $BUILD_DIR = $env:GITHUB_WORKSPACE -replace $pattern, '/' + echo "G_WORKSPACE=${BUILD_DIR}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append + + - name: Install depends + run: | + iwr -useb get.scoop.sh -outfile 'install.ps1' + .\install.ps1 -RunAsAdmin + scoop install wget sccache llvm nasm --global + mkdir -p ~\\scoop\\buckets\\my-bucket + Copy-Item -Path $env:GITHUB_WORKSPACE\\build\\github-actions\\mozilla-build.json -Destination ~\scoop\buckets\my-bucket + scoop install my-bucket/mozilla-build --global + rustup default $env:RUST_VER-pc-windows-msvc + + - name: Set system PATH variable + shell: bash + run: sed -i 's/SET PATH=.*/&;C:\\Rust\\.cargo\\bin;C:\\ProgramData\\scoop\\shims;C:\\ProgramData\\scoop\\apps\\llvm\\current\\bin/g' /c/ProgramData/scoop/apps/mozilla-build/current/start-shell.bat + + - name: Cache for Windows + uses: actions/cache@v3 + with: + path: | + ~/AppData/Local/Mozilla/sccache/cache + key: ${{ runner.os }}-${{ hashFiles('**/browser/config/version_display.txt') }} + + - name: Build + run: | + C:\\ProgramData\\scoop\\apps\\mozilla-build\\current\\start-shell.bat "$Env:G_WORKSPACE/build/github-actions/build.sh" + + - name: mach build installer + run: | + C:\\ProgramData\\scoop\\apps\\mozilla-build\\current\\start-shell.bat "$Env:G_WORKSPACE/build/github-actions/package.sh" + + - name: Fix JAVA_HOME_8_X64 for shell + run: | + $pattern = '[\\]' + $JAVA_HOME = $env:JAVA_HOME_8_X64 -replace $pattern, '/' + echo "JAVA_HOME_8_X64_SHELL=${JAVA_HOME}" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append + + - name: "\U0001FAAA Azure CLI Login via OIDC" + uses: azure/login@v1 + with: + client-id: '${{ secrets.AZURE_CLIENT_ID }}' + tenant-id: '${{ secrets.AZURE_TENANT_ID }}' + subscription-id: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' + + - name: Sign + run: | + cd $G_WORKSPACE + BROWSER_VERSION=`cat browser/config/version_display.txt` + /c/ProgramData/scoop/shims/wget.exe https://github.com/ebourg/jsign/releases/download/4.0/jsign-4.0.jar -P /c/ProgramData/scoop/shims/ + chmod +x /c/ProgramData/scoop/shims/ + pushd objdir-classic/dist/install/sea/ + 7z x waterfox-classic-$BROWSER_VERSION.en-US.win64.installer.exe + rm -f waterfox-classic-$BROWSER_VERSION.en-US.win64.installer.exe + find ./ -type f -name "*.exe" -exec $JAVA_HOME_8_X64_SHELL/bin/java.exe -jar $JSIGN_PATH --storetype AZUREKEYVAULT --keystore ${{ secrets.AZURE_VAULT_ID }} --alias ${{ secrets.AZURE_CRT }} --tsaurl "http://rfc3161timestamp.globalsign.com/advanced" --tsmode RFC3161 --alg SHA-256 --storepass "$(az account get-access-token --resource "https://vault.azure.net" --tenant ${{ secrets.AZURE_TENANT_ID }} | jq -r .accessToken)" {} \; + find ./ -type f -name "*.dll" -exec $JAVA_HOME_8_X64_SHELL/bin/java.exe -jar $JSIGN_PATH --storetype AZUREKEYVAULT --keystore ${{ secrets.AZURE_VAULT_ID }} --alias ${{ secrets.AZURE_CRT }} --tsaurl "http://rfc3161timestamp.globalsign.com/advanced" --tsmode RFC3161 --alg SHA-256 --storepass "$(az account get-access-token --resource "https://vault.azure.net" --tenant ${{ secrets.AZURE_TENANT_ID }} | jq -r .accessToken)" {} \; + 7z a -r -t7z app.7z -mx -m0=BCJ2 -m1=LZMA:d25 -m2=LZMA:d19 -m3=LZMA:d19 -mb0:1 -mb0s1:2 -mb0s2:3 + cp $G_WORKSPACE/browser/installer/windows/app.tag . + cp $G_WORKSPACE/other-licenses/7zstub/firefox/7zSD.sfx . + cat 7zSD.sfx app.tag app.7z > "WaterfoxClassic$BROWSER_VERSION.exe" + $JAVA_HOME_8_X64_SHELL/bin/java.exe -jar $JSIGN_PATH --storetype AZUREKEYVAULT --keystore ${{ secrets.AZURE_VAULT_ID }} --alias ${{ secrets.AZURE_CRT }} --tsaurl "http://rfc3161timestamp.globalsign.com/advanced" --tsmode RFC3161 --alg SHA-256 --storepass "$(az account get-access-token --resource "https://vault.azure.net" --tenant ${{ secrets.AZURE_TENANT_ID }} | jq -r .accessToken)" "WaterfoxClassic$BROWSER_VERSION.exe" + az logout + rm -rf core 7zSD.sfx app.tag app.7z setup.exe + popd + shell: bash + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: Generate update files + run: | + $pattern = '[\\]' + $env:BUILD_DIR = $env:GITHUB_WORKSPACE + $env:BUILD_DIR = $env:BUILD_DIR -replace $pattern, '/' + Write-Output $env:BUILD_DIR + $env:TAG = "${{ steps.previoustag.outputs.tag }}" + Write-Output $env:TAG + C:\\ProgramData\\scoop\\apps\\mozilla-build\\current\\start-shell.bat "$env:BUILD_DIR/build/github-actions/update.sh" + + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: Artifact_Classic_Windows_${{ github.run_id }} + path: | + ./objdir-*/dist/install/sea/*.exe + ./objdir-*/dist/update/waterfox-classic-*.en-US.*.complete.xz.mar + ./objdir-*/dist/update/update.xml + + build-linux: + name: 🐧 Build for Linux + runs-on: ubuntu-18.04 + container: + image: ghcr.io/waterfoxco/waterfox-classic_docker_img:latest + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Cache for Linux + uses: actions/cache@v3 + with: + path: ~/.ccache + key: ${{ runner.os }}-${{ hashFiles('**/browser/config/version_display.txt') }} + + - name: Build + run: | + rustup default ${RUST_VER}-x86_64-unknown-linux-gnu + ./mach build + + - name: Package + run: | + ./mach package + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: Generate update files + run: | + export BUILD_DIR=$GITHUB_WORKSPACE + export TAG=${{ steps.previoustag.outputs.tag }} + chmod +x ./build/github-actions/update.sh + ./build/github-actions/update.sh + + - name: Upload Linux artifacts + uses: actions/upload-artifact@v3 + with: + name: Artifact_Classic_Linux_${{ github.run_id }} + path: | + ./objdir-*/dist/waterfox*.tar.bz2 + ./objdir-*/dist/update/waterfox-classic-*.en-US.*.complete.xz.mar + ./objdir-*/dist/update/update.xml + + build-mac: + name: 🍏 Build for macOS + runs-on: macos-11 + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Set up Xcode version + uses: maxim-lobanov/setup-xcode@v1 + with: + xcode-version: "11.7" + + - name: Install depends + run: | + brew update + brew install autoconf@2.13 ccache make nasm yasm + rustup default ${RUST_VER}-x86_64-apple-darwin + + - name: Download SDK + run: | + wget https://github.com/phracker/MacOSX-SDKs/releases/download/11.3/MacOSX10.12.sdk.tar.xz + tar -xvf MacOSX10.12.sdk.tar.xz -C ../ + + - name: Cache for macOS + uses: actions/cache@v3 + with: + path: | + ~/Library/Caches/ccache + key: ${{ runner.os }}-${{ hashFiles('**/browser/config/version_display.txt') }} + + - name: Build + run: ./mach build + + - name: Package + run: | + ./mach package + + - name: Setup keychain + uses: apple-actions/import-codesign-certs@v1 + with: + p12-file-base64: ${{ secrets.MACOS_CRT }} + p12-password: ${{ secrets.MACOS_PWD }} + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: Sign .app + run: | + wget https://hg.mozilla.org/releases/mozilla-esr60/raw-file/tip/security/mac/hardenedruntime/codesign.bash https://hg.mozilla.org/releases/mozilla-esr60/raw-file/tip/security/mac/hardenedruntime/production.entitlements.xml + chmod +x ./codesign.bash + ./codesign.bash -a objdir-classic/dist/waterfox-classic/Waterfox\ Classic.app -i "${{ secrets.MACOS_ID }}" -e ./production.entitlements.xml + + - name: Create and sign DMG + run: | + BROWSER_VERSION=`cat browser/config/version_display.txt` + chmod +x ./browser/branding/unofficial/create-dmg + ./browser/branding/unofficial/create-dmg \ + --volname "Waterfox Classic Setup" \ + --volicon "browser/branding/unofficial/disk.icns" \ + --background "browser/branding/unofficial/background.png" \ + --window-pos 200 120 \ + --window-size 520 380 \ + --no-internet-enable \ + --icon-size 128 \ + --icon "Waterfox Classic.app" 100 178 \ + --hide-extension "Waterfox Classic.app" \ + --hdiutil-quiet \ + --format UDBZ \ + --eula "browser/branding/unofficial/license.txt" \ + --app-drop-link 400 178 \ + "objdir-classic/dist/waterfox-classic/Waterfox Classic ${BROWSER_VERSION} Setup.dmg" \ + "objdir-classic/dist/waterfox-classic/Waterfox Classic.app" + codesign -s "${{ secrets.MACOS_ID }}" -fv "objdir-classic/dist/waterfox-classic/Waterfox Classic ${BROWSER_VERSION} Setup.dmg" + xcrun altool --notarize-app -f "objdir-classic/dist/waterfox-classic/Waterfox Classic ${BROWSER_VERSION} Setup.dmg" --primary-bundle-id 'org.waterfoxproject.waterfoxclassic' -u ${{ secrets.MACOS_DEV_ID }} -p ${{ secrets.MACOS_DEV_PWD }} + + - name: Create MAR + run: | + BROWSER_VERSION=$(grep 'DisplayVersion=' ./objdir-classic/dist/waterfox-classic/Waterfox\ Classic.app/Contents/Resources/application.ini | cut -d'=' -f2) + mkdir -p ./objdir-classic/dist/update + xml=('' + '' + ' ' + ' ' + ' ' + '') + for line in "${xml[@]}" ; do echo $line >> ./objdir-classic/dist/update/update.xml ; done + chmod +x ./objdir-classic/dist/host/bin/mar + MAR=./objdir-classic/dist/host/bin/mar \ + ./tools/update-packaging/make_full_update.sh \ + ./objdir-classic/dist/update/waterfox-classic-$BROWSER_VERSION.en-US.osx64.complete.xz.mar \ + ./objdir-classic/dist/waterfox-classic/Waterfox\ Classic.app + VERSION=$(grep '\' ./objdir-classic/dist/waterfox-classic/Waterfox\ Classic.app/Contents/Resources/application.ini | cut -d'=' -f2) + BUILDID=$(grep 'BuildID=' ./objdir-classic/dist/waterfox-classic/Waterfox\ Classic.app/Contents/Resources/application.ini | cut -d'=' -f2) + SHA512=$(shasum -a 512 ./objdir-classic/dist/update/waterfox-classic-$BROWSER_VERSION.en-US.osx64.complete.xz.mar | awk '{print $1}') + SIZE=$(ls -l ./objdir-classic/dist/update/waterfox-classic-$BROWSER_VERSION.en-US.osx64.complete.xz.mar | awk '{print $5}') + echo "Display Version: $BROWSER_VERSION, Version: $VERSION, Build ID: $BUILDID, File Size: $SIZE, SHA512: $SHA512" + sed -i '' -e "s/OPERATING_SYSTEM/$OPERATING_SYSTEM/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/BROWSER_VERSION/$BROWSER_VERSION/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/VERSION/$VERSION/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/BUILDID/$BUILDID/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/SIZE/$SIZE/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/HASH/"$SHA512"/g" ./objdir-classic/dist/update/update.xml + sed -i '' -e "s/TAG/${{ steps.previoustag.outputs.tag }}/g" ./objdir-classic/dist/update/update.xml + + - name: Upload macOS DMG + uses: actions/upload-artifact@v3 + with: + name: Artifact_Classic_macOS_${{ github.run_id }} + path: | + ./objdir-*/dist/waterfox-classic/*.dmg + ./objdir-*/dist/update/*.mar + ./objdir-*/dist/update/update.xml diff --git a/.github/workflows/classic-release.yml b/.github/workflows/classic-release.yml index 2e805d139091..487d4ce60a28 100644 --- a/.github/workflows/classic-release.yml +++ b/.github/workflows/classic-release.yml @@ -1,8 +1,7 @@ name: Build Classic for Release on: - release: - types: [published] + workflow_dispatch: env: ENABLE_ARTIFACTS_MODE: "true" diff --git a/.github/workflows/release-pipeline.yml b/.github/workflows/release-pipeline.yml new file mode 100644 index 000000000000..d35591ab6f9e --- /dev/null +++ b/.github/workflows/release-pipeline.yml @@ -0,0 +1,27 @@ +name: Release Pipeline +on: + release: + types: [published] +jobs: + build: + name: Build + uses: ./.github/workflows/build.yml + secrets: + AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_ACCESS_KEY_SECRET }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_CRT: '${{ secrets.AZURE_CRT }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' + AZURE_VAULT_ID: '${{ secrets.AZURE_VAULT_ID }}' + MACOS_ID: '${{ secrets.MACOS_ID }}' + MACOS_PWD: '${{ secrets.MACOS_PWD }}' + MACOS_CRT: '${{ secrets.MACOS_CRT }}' + + release: + name: Release + uses: ./.github/workflows/release.yml + needs: build + secrets: + AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}' + AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_ACCESS_KEY_SECRET }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000000..d236e58a2bdc --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,201 @@ +name: Release +'on': + workflow_call: + secrets: + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + +env: + SHELL: "/bin/bash" + +jobs: + checksum: + runs-on: ubuntu-latest-8-cores + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Download all artifacts + uses: actions/download-artifact@v3 + with: + path: ./objdir-*/dist + + - name: Generate checksum file + run: | + mkdir ./dist + mv ./objdir-*/dist/Artifact_Classic_*_${{ github.run_id }}/objdir-*/dist/waterfox*.tar.bz2 ./dist/ + mv ./objdir-*/dist/Artifact_Classic_*_${{ github.run_id }}/objdir-*/dist/waterfox-classic/Waterfox*.dmg ./dist/ + mv ./objdir-*/dist/Artifact_Classic_*_${{ github.run_id }}/objdir-*/dist/install/sea/*.exe ./dist/ + cd ./dist/ + checksumFile=$(basename waterfox*.tar.bz2 | sed 's/.tar.bz2//g' | sed 's/.linux-x86_64//g' | sed 's/.en-US//g'| sed 's/$/.sha256/g') + sha256sum waterfox*.tar.bz2 | tee -a "$checksumFile" + sha256sum Waterfox*.dmg | tee -a "$checksumFile" + sha256sum Waterfox*.exe | tee -a "$checksumFile" + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: Upload SHASUM + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./dist/waterfox*.sha256 + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: Artifact_Classic_Checksum_${{ github.run_id }} + path: ./dist/waterfox*.sha256 + + upload: + runs-on: ubuntu-latest-8-cores + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Download all artifacts + uses: actions/download-artifact@v3 + with: + path: ./objdir-*/dist + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: 🪟 Upload Windows Installer + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./objdir-*/dist/install/sea/*.exe + artifactContentType: application/vnd.microsoft.portable-executable + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: 🪟 Upload Windows MAR + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./objdir-*/dist/update/waterfox-classic-*.en-US.*.complete.xz.mar + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: 🐧 Upload Linux Installer + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./objdir-*/dist/waterfox*.tar.bz2 + artifactContentType: application/zip + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: 🐧 Upload Linux MAR + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./objdir-*/dist/update/waterfox-classic-*.en-US.*.complete.xz.mar + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: 🍎 Upload macOS Artifacts + uses: ncipollo/release-action@v1 + with: + allowUpdates: true + artifacts: ./objdir-*/dist/waterfox-classic/*.dmg,./objdir-*/dist/update/*.mar + tag: ${{ steps.previoustag.outputs.tag }} + token: ${{ secrets.GITHUB_TOKEN }} + + aus-upload-dryrun: + runs-on: ubuntu-latest-8-cores + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_EC2_METADATA_DISABLED: true + AWS_REGION: us-west-2 + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + steps: + - name: Checkout branch + uses: actions/checkout@v3 + + - name: Download all artifacts + uses: actions/download-artifact@v3 + with: + path: ./objdir-*/dist + + - name: Get Previous tag + id: previoustag + uses: WyriHaximus/github-action-get-previous-tag@v1 + + - name: Dry run AUS + run: | + mkdir win64 + mkdir linux64 + mkdir osx64 + mv ./objdir-*/dist/Artifact_Classic_Linux_${{ github.run_id }}/objdir-*/dist/update/update.xml ./linux64/ + mv ./objdir-*/dist/Artifact_Classic_macOS_${{ github.run_id }}/objdir-*/dist/update/update.xml ./osx64/ + mv ./objdir-*/dist/Artifact_Classic_Windows_${{ github.run_id }}/objdir-*/dist/update/update.xml ./win64/ + os=(win64 linux64 osx64) + for o_sys in ${os[@]} + do + update_loc=$o_sys/update.xml + dir=${o_sys/64/-classic} + aws s3 cp --content-type="text/xml" --metadata-directive="REPLACE" $update_loc \ + s3://aus.waterfox.net/update/old/test/$dir/update.xml + for j in $(aws s3 ls s3://aus.waterfox.net/update/old/$o_sys/ | awk '{OFS=" "};{if ($1=="PRE") print $2}') + do + ver=$(echo $j | sed 's/\///g') + if [[ $j == 'old/' ]] + then + continue + elif [[ $j != '/' ]] + then + aws s3 cp --dryrun --content-type="text/xml" --metadata-directive="REPLACE" $update_loc \ + s3://aus.waterfox.net/update/old/$o_sys/$ver/en-US/release/update.xml + fi + done + done + + touch blank.xml + echo '' > blank.xml + tag=${{ steps.previoustag.outputs.tag }} + version=${tag/-classic/} + os=(linux64 osx64 win64) + for i in ${os[@]} + do + aws s3 cp --content-type="text/xml" --metadata-directive="REPLACE" blank.xml \ + s3://aus.waterfox.net/update/old/$i/$version/en-US/release/update.xml + done + + aus-upload-release: + runs-on: ubuntu-latest-8-cores + needs: [aus-upload-dryrun] + environment: hard-release + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_EC2_METADATA_DISABLED: true + AWS_REGION: us-west-2 + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + steps: + - name: Upload to AUS + run: | + os=(win64 linux64 osx64) + for o_sys in ${os[@]} + do + dir=${o_sys/64/-classic} + update_loc=s3://aus.waterfox.net/update/old/test/$dir/update.xml + for j in $(aws s3 ls s3://aus.waterfox.net/update/old/$o_sys/ | awk '{OFS=" "};{if ($1=="PRE") print $2}') + do + ver=$(echo $j | sed 's/\///g') + if [[ $j == 'old/' ]] + then + continue + elif [[ $j != '/' ]] + then + aws s3 cp --content-type="text/xml" --metadata-directive="REPLACE" $update_loc \ + s3://aus.waterfox.net/update/old/$o_sys/$ver/en-US/release/update.xml + fi + done + done